gpg
Contents
About
The GNU Privacy Guard (GnuPG or GPG)
When not overridden, the default GNUPGHOME is ~/.gnupg.
SKS keyservers
The age of the SKS keyserver infrastructure seems to be at an end.
https://www.sks-keyservers.net is going down.
Installation
Install the GnuPG suite
apt install gnupg
Install some useful GUIs
apt install kleopatra seahorse
Show keys
Show pub key info
List keys
Show public keys
Show secret keys
Extract the long key ID, e.g. for use in a pass .gpg-id file
Create keys
Default: rsa3072
Quickly generate a new keypair
gpg --quick-gen-key "Tobias Stein <tobias.stein@example.com>"
Create a key
gpg --gen-key
Revocation certificate will be at
$GNUPGHOME/openpgp-revocs.d
usually ~/.gnupg/openpgp-revocs.d
More detailed wizard
gpg --full-gen-key
Export keys
Export base64-encoded pubkey
Import keys
Import secret key that has previously been exported by Thunderbird.
Generate revocation certificate
Create a revocation certificate
Delete keys
Delete private and public key
gpg --delete-secret-and-public-key your-email@example.com
Importing gpg public keys for use with apt
Old way with apt-key
With the key from the website
With apt-key adv as a frontend/wrapper to gpg
With gpg alone
apt-key is deprecated
please see man 8 apt-key
- Use of apt-key is deprecated, except for the use of apt-key del in maintainer scripts to remove existing keys from the main keyring. If such usage of apt-key is desired the additional installation of the GNU Privacy Guard suite (packaged in gnupg) is required. apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.
New way with own file/keyring
With keys from the website
### JITSI
PUBKEY_URL="https://download.jitsi.org/jitsi-key.gpg.key"
KEYRING_DIR="/etc/apt/keyrings"
KEYRING_FILE="jitsi-keyring.gpg"
KEYRING="$KEYRING_DIR/$KEYRING_FILE"
# either with curl ...
curl "$PUBKEY_URL" \
| sudo sh -c "gpg --dearmor \
> '$KEYRING'"
# ... or with wget
wget -q -O - "$PUBKEY_URL" \
| sudo sh -c "gpg --dearmor \
> '$KEYRING'"

### MATRIX
# this keyring is already in binary format, so no --dearmor is needed
wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg \
https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg

### UNIVENTION
KEYRING="univention"
# op=get returns the ASCII-armored key itself (op=index only returns an HTML listing),
# so the download must be dearmored either way
URL="https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xD5FDF01E8A0E2AFA55E3CDF8DAA7120CFB520FFD"
wget -q -O - "$URL" \
| sudo sh -c "gpg --dearmor \
> /usr/share/keyrings/${KEYRING}-keyring.gpg"
curl "$URL" \
| sudo sh -c "gpg --dearmor \
> /usr/share/keyrings/${KEYRING}-keyring.gpg"
Keyrings placed in /etc/apt/trusted.gpg.d/ are trusted for validating the package signatures of every repository. If the key is not copied there, the respective sources.list entry must name the keyring explicitly with the signed-by option, so the key is trusted for that one repository only:
deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/
With gpg alone
KEYRING_DIR="/etc/apt/keyrings"
KEYRING_FILE="bareos-keyring.gpg"
KEYRING="$KEYRING_DIR/$KEYRING_FILE"
KEY_IDS=( "0CCBA537DBE083A6" "42DA24A6DFEF9127" "E01957D6C9FED482" )
for KEY_ID in "${KEY_IDS[@]}"; do
    # fetch the key into the personal keyring, then append its binary export to the apt keyring
    gpg --keyserver "keyserver.ubuntu.com" \
        --recv-keys "$KEY_ID"
    gpg --export "$KEY_ID" \
        >> "$KEYRING"
done
### LINK TO APT TRUSTED KEYS
ln -s "$KEYRING" \
    "/etc/apt/trusted.gpg.d/"
apt-key list ${KEY_IDS[*]}
KEYRING_DIR="/etc/apt/keyrings"
KEYRING_FILE="wine-keyring.gpg"
KEYRING="$KEYRING_DIR/$KEYRING_FILE"
LONG_IDS=( "D43F640145369C51D786DDEA76F1A20FF987672F" )
unset KEY_IDS
declare -a KEY_IDS
for ID in "${LONG_IDS[@]}"; do
    # the long key ID is the last 16 hex digits of the 40-digit fingerprint;
    # the parentheses append a new array element instead of concatenating onto element 0
    KEY_IDS+=("$(cut -c 25- <<< "$ID")")
done
echo "Key IDs: '${KEY_IDS[*]}'"
for KEY_ID in "${KEY_IDS[@]}"; do
    gpg --keyserver "keyserver.ubuntu.com" \
        --recv-keys "$KEY_ID"
    gpg --export "$KEY_ID" \
        >> "$KEYRING"
done
### LINK TO APT TRUSTED KEYS
ln -s "$KEYRING" \
    "/etc/apt/trusted.gpg.d/"
apt-key list ${KEY_IDS[*]}
To distrust the owner/repo again, simply delete the keyring file (or the symlink pointing to it) from /etc/apt/trusted.gpg.d/
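The following POSIX shell helpers are an added example, not part of these notes and not code from Jitsi, Matrix, Univention, Bareos or WineHQ. They tie the steps above together: deriving the long key ID from a published fingerprint (the general form of the cut -c 25- loop), checking that a downloaded keyring really carries the fingerprint the vendor publishes before it is trusted, and composing the signed-by sources entry so the key is trusted for one repository only. The URL, fingerprint and file names in the commented usage are constructed placeholders; only keyring_has_fingerprint needs gpg installed.

```shell
#!/bin/sh
# Added example: helpers for building a per-repository apt keyring safely.
# The values in the usage comments at the bottom are constructed placeholders.

# Turn a fingerprint as copied from a vendor page (spaces, 0x prefix and lower
# case are all tolerated) into the 16-hex-digit long key ID, i.e. its last 64 bits.
# Fails (return 1) for anything that is not exactly 40 hex digits.
keyid_from_fingerprint() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
    case "$fpr" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr" | cut -c 25-
}

# Compose a sources.list line that pins the repository to its own keyring via
# signed-by, so the key is never consulted for other repositories.
# $1 keyring path, $2 repository URL, $3 suite, $4 components (empty for flat repos)
apt_source_line() {
    if [ -n "$4" ]; then
        printf 'deb [signed-by=%s] %s %s %s\n' "$1" "$2" "$3" "$4"
    else
        printf 'deb [signed-by=%s] %s %s\n' "$1" "$2" "$3"
    fi
}

# Check that a binary keyring contains the expected fingerprint (primary key or
# subkey) before it is installed. Only gpg's machine-readable colon output is
# parsed; the keyring path must be absolute, otherwise gpg looks for it in GNUPGHOME.
keyring_has_fingerprint() {
    expected=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    gpg --no-default-keyring --keyring "$1" --with-colons --fingerprint 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10 }' \
        | grep -qx "$expected"
}

# Usage, as root on a Debian/Ubuntu host (constructed URL, fingerprint and names):
#   install -d -m 0755 /etc/apt/keyrings
#   curl -fsSL https://repo.example.invalid/archive-key.asc \
#       | gpg --dearmor -o /etc/apt/keyrings/example-keyring.gpg
#   keyring_has_fingerprint /etc/apt/keyrings/example-keyring.gpg \
#       "0000 0000 0000 0000 0000 0000 0000 0000 0000 0000" \
#       || { echo "fingerprint mismatch, not trusting this keyring" >&2; exit 1; }
#   apt_source_line /etc/apt/keyrings/example-keyring.gpg \
#       https://repo.example.invalid/debian stable main \
#       > /etc/apt/sources.list.d/example.list
```

Comparing the fingerprint against the one printed on the vendor's website (fetched over a second channel, not the same download) is what makes the keyring trustworthy; the long key ID alone is too short to serve as that check.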
Check Key-ID
pass
Directory structure
#WIP
The passwords are organized in a hierarchical tree, so you may want to put some effort into designing a sensible directory tree. Note that qtpass sorts case-sensitively (capitals first).
1st possible structure
- corp-name/
  - domain-name/
  - domain-name/totp/
- customers/
  - domain-name/
  - domain-name/totp/
  - customer-name/domain-name/
  - customer-name/domain-name/totp
- personal/person-name/domain-name/
- personal/person-name/domain-name/totp
2nd possible structure
- corp-name/
  - domain-name/
  - domain-name/totp/
  - personal/person-name/domain-name/
  - personal/person-name/domain-name/totp
- customers/
  - domain-name/
  - domain-name/totp/
  - customer-name/domain-name/
  - customer-name/domain-name/totp
  - customer-name/personal/person-name/domain-name/
  - customer-name/personal/person-name/domain-name/totp
Share secrets
The entries stored in ~/.password-store are encrypted with the public keys listed in the .gpg-id file of the respective (sub)tree. You may list these files with
find ~/.password-store -name .gpg-id
To share a secret, the receiver must be able to decrypt the entry. With asymmetric cryptography the secret has to be encrypted with the receiver's public key first. Therefore the receiver's public key has to be imported and the whole tree or subtree has to be re-encrypted with the new public key added to the recipients.
Determine the long keyid
See "List keys" in the gpg section above.
Add the new pub key
Encrypt a whole hierarchy of the password store with the new keys
Encrypt a hierarchy of the password store with the respective keys
# re-encrypt the totp subtree for every key ID currently listed in its .gpg-id
pass init -p totp $(cat ~/.password-store/totp/.gpg-id|xargs)
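As an added example (not from these notes and not pass's own code), the POSIX shell helpers below generalize the re-encryption step above to a whole store: they find every directory that carries its own .gpg-id, read the recipients listed there, and print the pass init command that would re-encrypt that subtree for the existing recipients plus one new long key ID, without adding a key that is already listed. Nothing is executed; the printed commands can be reviewed first and then piped to sh. The store path and key IDs in the test are constructed.

```shell
#!/bin/sh
# Added example: print the `pass init` commands needed to add a new recipient
# to every .gpg-id scope of a password store. Key IDs in usage are constructed.

# Print one line per scope as "<relative path>|<space-separated recipient ids>".
# The root of the store is reported as ".". Scopes are sorted so that parents
# come before their subtrees.
list_gpg_id_scopes() {
    store=${1%/}
    find "$store" -name .gpg-id -type f | LC_ALL=C sort | while read -r f; do
        dir=$(dirname "$f")
        rel=${dir#"$store"}
        rel=${rel#/}
        [ -n "$rel" ] || rel=.
        # .gpg-id holds one recipient per line; drop blank lines, join with spaces
        ids=$(grep -v '^[[:space:]]*$' "$f" | tr '\n' ' ' | sed 's/ $//')
        printf '%s|%s\n' "$rel" "$ids"
    done
}

# Emit one `pass init` per scope with the new key ID appended, unless the scope
# already lists it. $1 store path, $2 new long key ID.
reencrypt_commands() {
    new_id=$2
    list_gpg_id_scopes "$1" | while IFS='|' read -r rel ids; do
        case " $ids " in
            *" $new_id "*) recips=$ids ;;
            *) recips="$ids $new_id" ;;
        esac
        if [ "$rel" = . ]; then
            printf 'pass init %s\n' "$recips"
        else
            printf 'pass init -p %s %s\n' "$rel" "$recips"
        fi
    done
}

# Usage (constructed key ID): review the output, then run it
#   reencrypt_commands ~/.password-store 0123456789ABCDEF
#   reencrypt_commands ~/.password-store 0123456789ABCDEF | sh
```

Each scope is re-encrypted separately because pass init -p only touches entries governed by that directory's .gpg-id; a nested directory with its own .gpg-id keeps its own recipient list, which is exactly what lets one customer's subtree be shared without exposing the rest of the store.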
git
Signing
Git Cola
Options for signing
Signing and pushing